
Removes Custom WAF Rules for log4j; Opens GHE to zScalar

AWS has implemented WAF rules.
GHE appears not to be vulnerable.

To be tagged v3.3.1
Fred Damstra [afs macbook] 3 năm trước cách đây
mục cha
commit
90fec446c9
2 tập tin đã thay đổi với 81 bổ sung81 xóa
  1. 1 1
      base/github/securitygroups-load-balancers.tf
  2. 80 80
      submodules/wafv2/waf.tf

+ 1 - 1
base/github/securitygroups-load-balancers.tf

@@ -28,7 +28,7 @@ locals {
   #allowed_sources = local.zscalar_cidrs
   #allowed_sources = concat(var.trusted_ips, local.zscalar_cidrs)
   # salt masters only for the weekend
-  allowed_sources = concat(var.trusted_ips, local.salt_masters)
+  allowed_sources = concat(local.zscalar_cidrs, var.trusted_ips, local.salt_masters)
   #allowed_sources = [ "0.0.0.0/0" ]
 }
 
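Review bot: The comment `# salt masters only for the weekend` on the line above the new `allowed_sources` still describes a temporary carve-out, but this commit makes the line it annotates the long-term setting by adding `local.zscalar_cidrs` alongside `local.salt_masters` with no expiry noted. If the weekend window has passed, drop `local.salt_masters` from the `concat`; otherwise replace the comment with an explicit reminder such as `# TEMP: salt masters allowed only through the weekend — remove them from allowed_sources afterwards` so the wider ingress does not silently become permanent. The four commented-out alternatives around it are better removed outright, since git keeps the history and they make it hard to see which source list is actually live. The `locals` block this hunk edits opens before the hunk starts.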

+ 80 - 80
submodules/wafv2/waf.tf

@@ -84,56 +84,31 @@ resource "aws_wafv2_rule_group" "xdr_custom_rules" {
 #    }
   }
 
-  rule {
-    name = "Block_log4j_Exploit_20211210"
-    action {
-      block {}
-    }
-    priority = 110
-
-    #rule_label {
-    #  name = "xdr_custom:log4j"
-    #}
-
-    visibility_config {
-      cloudwatch_metrics_enabled = true
-      metric_name                = "Block_Log4j_exploit_20211210"
-      sampled_requests_enabled   = true
-    }
-
-    statement {
-      or_statement {
-        statement {
-          byte_match_statement {
-            field_to_match {
-              single_header {
-                name = "user-agent"
-              }
-            }
-            positional_constraint = "STARTS_WITH"
-            search_string = "$${jndi:" # ldap://"
-
-            text_transformation {
-              priority = 1
-              type     = "BASE64_DECODE"
-            }
-
-            #text_transformation {
-            #  priority = 3
-            #  type     = "HEX_DECODE"
-            #}
-
-            text_transformation {
-              priority = 5
-              type     = "LOWERCASE"
-            }
-          }
-        }
-
+#  rule {
+#    name = "Block_log4j_Exploit_20211210"
+#    action {
+#      block {}
+#    }
+#    priority = 110
+#
+#    #rule_label {
+#    #  name = "xdr_custom:log4j"
+#    #}
+#
+#    visibility_config {
+#      cloudwatch_metrics_enabled = true
+#      metric_name                = "Block_Log4j_exploit_20211210"
+#      sampled_requests_enabled   = true
+#    }
+#
+#    statement {
+#      or_statement {
 #        statement {
 #          byte_match_statement {
 #            field_to_match {
-#              method {}
+#              single_header {
+#                name = "user-agent"
+#              }
 #            }
 #            positional_constraint = "STARTS_WITH"
 #            search_string = "$${jndi:" # ldap://"
@@ -143,10 +118,10 @@ resource "aws_wafv2_rule_group" "xdr_custom_rules" {
 #              type     = "BASE64_DECODE"
 #            }
 #
-#            text_transformation {
-#              priority = 3
-#              type     = "HEX_DECODE"
-#            }
+#            #text_transformation {
+#            #  priority = 3
+#            #  type     = "HEX_DECODE"
+#            #}
 #
 #            text_transformation {
 #              priority = 5
@@ -155,10 +130,60 @@ resource "aws_wafv2_rule_group" "xdr_custom_rules" {
 #          }
 #        }
 #
+##        statement {
+##          byte_match_statement {
+##            field_to_match {
+##              method {}
+##            }
+##            positional_constraint = "STARTS_WITH"
+##            search_string = "$${jndi:" # ldap://"
+##
+##            text_transformation {
+##              priority = 1
+##              type     = "BASE64_DECODE"
+##            }
+##
+##            text_transformation {
+##              priority = 3
+##              type     = "HEX_DECODE"
+##            }
+##
+##            text_transformation {
+##              priority = 5
+##              type     = "LOWERCASE"
+##            }
+##          }
+##        }
+##
+##        statement {
+##          byte_match_statement {
+##            field_to_match {
+##              query_string {}
+##            }
+##            positional_constraint = "CONTAINS"
+##            search_string = "$${jndi:" # ldap://"
+##
+##            text_transformation {
+##              priority = 1
+##              type     = "BASE64_DECODE"
+##            }
+##
+##            #text_transformation {
+##            #  priority = 3
+##            #  type     = "HEX_DECODE"
+##            #}
+##
+##            text_transformation {
+##              priority = 5
+##              type     = "LOWERCASE"
+##            }
+##          }
+##        }
+#
 #        statement {
 #          byte_match_statement {
 #            field_to_match {
-#              query_string {}
+#              uri_path {}
 #            }
 #            positional_constraint = "CONTAINS"
 #            search_string = "$${jndi:" # ldap://"
@@ -179,34 +204,9 @@ resource "aws_wafv2_rule_group" "xdr_custom_rules" {
 #            }
 #          }
 #        }
-
-        statement {
-          byte_match_statement {
-            field_to_match {
-              uri_path {}
-            }
-            positional_constraint = "CONTAINS"
-            search_string = "$${jndi:" # ldap://"
-
-            text_transformation {
-              priority = 1
-              type     = "BASE64_DECODE"
-            }
-
-            #text_transformation {
-            #  priority = 3
-            #  type     = "HEX_DECODE"
-            #}
-
-            text_transformation {
-              priority = 5
-              type     = "LOWERCASE"
-            }
-          }
-        }
-      }  
-    }
-  }
+#      }  
+#    }
+#  }
   # Add additional custom rules here
 
   lifecycle {
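Review bot: The custom log4j block rule is commented out rather than deleted, which leaves roughly 80 lines of dead Terraform inside `aws_wafv2_rule_group.xdr_custom_rules` and no in-file record of what now covers the `${jndi:` pattern. The commit message says AWS has implemented WAF rules, but nothing in this hunk attaches or references an AWS managed rule group, so a reader of this file cannot verify that claim from the code. Delete the block (history is in git) and leave a short pointer at the `# Add additional custom rules here` marker, e.g. `# Log4Shell (CVE-2021-44228) matching was removed in v3.3.1; it is expected to be covered by the AWS managed rule set attached to the web ACL — confirm that association is still present before re-adding a custom rule.` The `lifecycle` block that begins on the last line continues outside the hunk, as does the enclosing resource, which opens before it.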